lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20120110165440.GA6034@thunk.org>
Date:	Tue, 10 Jan 2012 11:54:40 -0500
From:	Ted Ts'o <tytso@....edu>
To:	Xi Wang <xi.wang@...il.com>
Cc:	Andreas Dilger <adilger.kernel@...ger.ca>,
	linux-ext4@...r.kernel.org, linux-kernel@...r.kernel.org,
	stable@...r.kernel.org
Subject: Re: [PATCH RESEND] ext4: fix undefined behavior in
 ext4_fill_flex_info()

On Mon, Jan 09, 2012 at 06:47:20PM -0500, Xi Wang wrote:
> Commit 503358ae01b70ce6909d19dd01287093f6b6271c ("ext4: avoid divide by
> zero when trying to mount a corrupted file system") fixes CVE-2009-4307
> by performing a sanity check on s_log_groups_per_flex, since it can be
> set to a bogus value by an attacker.
> 
> 	sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex;
> 	groups_per_flex = 1 << sbi->s_log_groups_per_flex;
> 
> 	if (groups_per_flex < 2) { ... }
> 
> This patch fixes two potential issues in the previous commit.
> 
> 1) The sanity check might only work on architectures like PowerPC.
> On x86, 5 bits are used for the shifting amount.  That means, given a
> large s_log_groups_per_flex value like 36, groups_per_flex = 1 << 36
> is essentially 1 << 4 = 16, rather than 0.  This will bypass the check,
> leaving s_log_groups_per_flex and groups_per_flex inconsistent.
> 
> 2) The sanity check relies on undefined behavior, i.e., oversized shift.
> A standard-confirming C compiler could rewrite the check in unexpected
> ways.  Consider the following equivalent form, assuming groups_per_flex
> is unsigned for simplicity.
> 
> 	groups_per_flex = 1 << sbi->s_log_groups_per_flex;
> 	if (groups_per_flex == 0 || groups_per_flex == 1) {
> 
> We compile the code snippet using Clang 3.0 and GCC 4.6.  Clang will
> completely optimize away the check groups_per_flex == 0, leaving the
> patched code as vulnerable as the original.  GCC keeps the check, but
> there is no guarantee that future versions will do the same.
> 
> Signed-off-by: Xi Wang <xi.wang@...il.com>
> Cc: stable@...r.kernel.org

Thanks, applied.  And thanks for the expanded commit description!

		      	     	     - Ted
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ